Everything You Need to Know About Two-Factor Authentication (or 2FA)

When it comes to securing your accounts, aside from using services that have HTTPS and end-to-end encryption, it’s conventional wisdom to use two-factor authentication, also known by the acronyms 2FA or TFA. But what exactly is two-factor authentication, and how can you make sure you’re making the most of it? Continue reading as we cover all aspects of two-factor authentication so that you can learn how to best use it.

What exactly is two-factor authentication (2FA)?

We’ve previously discussed two-factor authentication, but we’ll cover it again here, briefly. Two-factor authentication is a two-part verification process that occurs when someone attempts to access sensitive information. This kind of process shouldn’t be too unfamiliar, as you use it every time you dip your debit card into an ATM or payment terminal and enter your PIN to complete the transaction. Having the physical card is the first factor, and knowing the appropriate PIN is the second factor. In the context of online accounts, the first factor tends to be your login credentials, which serve as a “knowledge-based” factor like your debit card’s PIN. The second factor is typically a sequence of randomly generated numbers – sometimes referred to as one-time tokens or one-time passwords – delivered in a manner specified by you (e.g., as a text message or email). The idea is that the odds of both factors being compromised at the same time are smaller than the odds of just one factor being compromised, adding an extra layer of security to your accounts.

How does two-factor authentication work?

We’ve given the gist of what two-factor authentication is, but how exactly does it work? As stated above, most implementations of this type of authentication generate a string of random numbers that you have to enter after logging into an online account. Currently, this code can be obtained in three different ways, which we cover in depth below.

SMS-based 2FA

For most, this type of two-factor authentication is the poster child of 2FA. This is because, as companies rushed to adopt two-factor authentication, SMS-based (texting-based) authentication was the easiest to implement given the ubiquity of cell phones. Unfortunately, as the technology matured, it became apparent that this type of authentication wasn’t flawless. You might have read headlines in the past few years suggesting that two-factor authentication is in peril. It’s important to note that most critiques of this nature refer very specifically to SMS-based authentication. The rise of abuses like smishing (SMS phishing) and phone porting, which cause victims to lose control over their phone numbers, is primarily to blame. Still, if left with a choice between SMS-based 2FA and nothing, SMS-based 2FA will always be better. Although SMS-based authentication has vulnerabilities, there are some ways to stay relatively safe by understanding how these attacks work. Aside from SMS, many services also offer two-factor authentication over email and phone calls. These aren’t more secure than SMS, and in the case of email, it’s arguably even less secure because of how easily phishers can spoof messages and hijack email accounts.

Software/app-based 2FA

Another method of two-factor authentication involves the use of a third-party app (like Google Authenticator, Duo or Authy) and linking it to any account you wish to secure. Instead of receiving your one-time codes through SMS, you get them from this app on your device. The only issue is that this solution is a little more technical, as you’ll have to know which software authenticators exist and are reliable, which accounts support this type of authentication and how to link these apps to your accounts. Finally, most of these apps only save their settings locally, and confusion about this one little detail can cause heartache.

To illustrate the problems this can cause, imagine you link an account through Google Authenticator and then lose the device that you installed the app on. Installing Google Authenticator on another device won’t allow you to log into your linked account. That’s because every installation is local, meaning the settings are saved only on that device, and even an action like deleting the app will result in your settings being lost. Your account, though, will still be linked with the authentication app, so you’ll still be prompted for a code every time you log in, but with no way to obtain it, you won’t be able to enter it. The good news is that these services typically generate backup codes ahead of time just for situations like these, so that you can regain access and unlink the lost device. If you didn’t save any backup codes, though (or if your chosen app or service didn’t generate them), you’ll be completely locked out of your account. There are some rare exceptions to this, such as the cloud-based authentication app Authy, which lets you authenticate with multiple devices.

While all of these different authentication apps are considered to be better than SMS-based 2FA, their biggest weakness is in the account recovery process. Misplacing backup codes (e.g., if you’ve written them down) or having them intercepted means that anyone with the code can get into your account without trouble, given that these codes are designed to bypass two-factor authentication in situations where you can no longer use it. Therefore, if you choose this method, you’ll want to be careful to plan ahead for these kinds of situations.

Hardware token-based 2FA

Hardware or security tokens are arguably the most secure method of two-factor authentication, as they rely on a physical device in your possession for the authentication process. These devices are generally USB sticks or other types of key fobs that typically, but not always, interface with your computer. Some can interface with your phone through Bluetooth or Near Field Communication (NFC). Others are tiny devices with a chip that generates numbers, much like the codes sent to phones through SMS-based 2FA. In all cases, someone would need physical access to your device to see the codes or to use the credentials required to log in. These types of devices are generally used by corporate employees with access to sensitive information or by cybersecurity professionals, although companies like Yubico have begun to sell them to individuals as well. While the largest tech services like Google and Facebook support this technology in some form, unfortunately, not many others do as of yet.

How can you ensure you’re making the most of two-factor authentication?

In order to strengthen the security of your accounts, you should have some level of two-factor authentication for protection. Ideally, you should at least be using software/app-based two-factor services — if not hardware tokens — given the inherent weaknesses of SMS/text-based authentication; however, this is not always viable, as some services might not support those methods. If you do end up needing to use text-based two-factor authentication, you can harden it by using a number other than your primary phone number. By either getting another number and a cheap phone from your carrier, or by subscribing to a service like Google Voice or a VoIP phone service that supports text messaging, you can create a phone number that no one knows about and that is therefore less likely to be spoofed or ported away from you.

What’s the future of two-factor authentication?

Many of today’s implementations of 2FA aren’t perfect, but recent security research illuminates the potential for even more secure authentication schemes. In the near term, many experts anticipate that technologies like security tokens will become more widely available, which is a good thing, given their superiority among existing forms of two-factor authentication. Further into the future, all bets are off, as security technologies may begin to resemble science fiction. Some security literature suggests that, rather than restricting authentication to one or two identifiers, the ease of biometric verification might make multi-factor authentication – beyond just two factors – much more viable. Many security researchers have been interested in the potential of password-free logins through biometric and behavioral factors rolled into a unique profile. What does that mean? Imagine being able to combine things like your baseline heartbeat, the way you move a mouse and the way you hold your phone to create a unique login experience. These types of authentication factors are easy for computers to observe, but very hard for humans to detect and potentially spoof. Furthermore, unlike the current two-factor system, many of them can be deployed over the course of an entire session without interrupting a user’s activity, meaning that a user’s identity can be continuously verified to prevent unauthorized persons from hijacking a session.

Deployment of authentication systems using these kinds of identifiers, especially in conjunction with one another, is going to be fraught with privacy concerns, of course. Additionally, the selection of which behavioral and biometric factors are used is going to be very important as the accuracy of DNA phenotyping, or the reading of biological features from residual genetic material, improves – a point we made when talking about Apple’s Face ID. The former concern might potentially be addressed by fully homomorphic encryption (FHE), the so-called holy grail of cryptography. Unlike other types of encryption, which require data to be decrypted before it can be used, fully homomorphic encryption allows computation directly on encrypted data, so it never has to be decrypted – which, in theory, means that neither hackers nor developers will be able to use consumers’ biometric identifiers against them. While presently too expensive to use on a massive scale, there’s evidence that biometrics could one day be handled with this type of encryption. The latter concern, while important, is something that can be avoided if security researchers design systems with this knowledge in mind. It’s too early to predict precisely what will happen, but given these trends, it’s entirely possible that the goal of making systems more private and secure isn’t completely out of reach.

To learn more about how to stay safe online, as well as emerging developments in tech, continue reading our technology blog.

About Author

Michael Osakwe

Michael Osakwe is a NextAdvisor.com writer covering technology and a multitude of personal finance topics. His research has been featured in interviews with publications like Forbes, U.S. News & World Report, The International Business Times, and several others. He is a graduate of the University of California, Berkeley with a BA in Political Economy and a minor in Public Policy. You can follow him on Twitter @Michael_Advsr.